US-8924739

System and method for in-place encryption

Published: December 30, 2014
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

Disclosed herein are systems, methods, and non-transitory computer-readable storage media for performing in-place encryption. A system configured to practice the method receives a request from a user to encrypt an unencrypted volume of a computing device and identifies, generates, and/or randomly selects a volume key. Then the system converts the unencrypted volume to an encryptable format divided into portions. The system then encrypts, based on the volume key, the encryptable volume, portion by portion, to enable the user to use the computing device while encrypting. The system can maintain an encryption progress status and display the encryption progress status. The system can monitor disk accesses to the encryptable volume, and, when the disk accesses exceed a first threshold, apply a back-off algorithm to stop encrypting until the disk accesses fall below a second threshold. Thus, the computing device can be used while the encryption occurs in the background.

Patent Claims
17 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method of performing encryption, the method comprising: receiving a request from a user to encrypt an unencrypted volume of a computing device; identifying a volume key; converting the unencrypted volume to an encryptable format to yield an encryptable volume divided into unencrypted portions, the encryptable volume further including a temporary offset space to store file system metadata and scratch data used to encrypt the unencrypted portions, the temporary offset space positioned on the encryptable volume at a location between encrypted and unencrypted portions; and encrypting, based on the volume key, each one of the unencrypted portions separately to create a corresponding encrypted portion at a location on the encryptable volume that previously held a different unencrypted portion; and shifting the temporary offset space on the encryptable volume to a new location between newly encrypted and remaining unencrypted portions after encrypting each one of the unencrypted portions, wherein the user accesses a temporary copy of the unencrypted portion stored in a working space during the encrypting of the unencrypted portion and wherein, in response to receiving a decryption request from the user, retrieving a decryption volume key associated with the encrypted volume and decrypting, based on the decryption volume key, the encrypted partition, block by block, to enable the user to use the computing device during the decrypting as if the encrypted partition was already decrypted.

2. The method of claim 1, further comprising: maintaining an encryption progress status; and displaying the encryption progress status to the user.

3. The method of claim 1, further comprising: monitoring user disk accesses to the encryptable volume; and when the user disk accesses exceed a first threshold, applying a back-off algorithm to temporarily stop encrypting until the user disk accesses fall below a second threshold.

4. The method of claim 1, wherein the encrypting is performed by one of a linear approach, a random approach, an unused portion approach, and an order of importance approach.

5. The method of claim 1, further comprising: reserving the working space on the encryptable volume.

6. The method of claim 5, wherein converting the unencrypted volume to the encryptable format further comprises shrinking the unencrypted volume to make room for the working space.

7. The method of claim 1, wherein the encrypting further comprises: reading the unencrypted portion; storing a copy of the unencrypted portion in memory; encrypting, via a processor, the copy of the respective portion in memory to yield the encrypted portion; creating the temporary copy of the unencrypted portion into the working space; and storing the encrypted portion in a temporary location, wherein the temporary location becomes a permanent location of the encrypted portion, and wherein a former unencrypted portion becomes a new temporary location to hold an encrypted version of a next portion.

8. The method of claim 1, wherein the portions are of a uniform size.

9. The method of claim 1, wherein the encrypting the continues in a consistent state without data loss after at least one of a reboot of the computing device, a loss of power to the computing device, and a fatal system error in the computing device.

10. The method of claim 9, wherein the portions are adaptively sized based on at least one of a physical characteristic of the unencrypted volume, an attribute of an operating system running on the unencrypted volume, a user action, a performance consideration, a power consumption consideration, a noise consideration, a thermal threshold consideration, and a sleep state of the computing device.

11. A computing device comprising: a processor; a storage device having at least one partition; an operating system for controlling the processor and residing on at least part of the at least one partition of the storage device; an encryption process configured to control the processor to encrypt an unencrypted partition of the at least one partition by performing steps comprising: receiving an encryption request from a user; identifying an encryption volume key; converting the unencrypted partition to an encryptable format to yield an encryptable partition divided into unencrypted regions, the encryptable partition further including a temporary offset space to store file system metadata and scratch data used to encrypt the unencrypted regions, the temporary offset space positioned on the encryptable partition at a location between encrypted and unencrypted regions; encrypting, based on the encryption volume key, each one of the unencrypted regions separately to create a corresponding encrypted region at a location on the encryptable partition that previously held a different unencrypted region; and shifting the temporary offset space on the encryptable partition to a new location between newly encrypted and remaining unencrypted regions after encrypting each one of the unencrypted regions, wherein the user accesses a temporary copy of the unencrypted region stored in a working space during the encrypting of the unencrypted region; and a decryption process configured to control the processor to decrypt an encrypted partition of the at least one partition by performing steps comprising: receiving a decryption request; retrieving a decryption volume key associated with the encrypted partition; and decrypting, based on the decryption volume key, the encrypted partition, block by block, to enable the user to use the computing device during the decrypting as if the encrypted partition was already decrypted.

12. The computing device of claim 11, wherein the encryption module is further configured to control the processor to display an indication of progress of encrypting the unencrypted partition.

13. The computing device of claim 11, wherein an intermediate layer residing between an operating system of the computing device and the unencrypted volume encrypts the unencrypted volume.

14. A non-transitory computer-readable storage medium storing instructions which, when executed by a computing device, cause the computing device to perform encryption, the instructions comprising: receiving a request from a user to encrypt an unencrypted partition on a volume of a computing device; generating a volume key based on the request; converting the unencrypted partition to an encryptable format to yield an encryptable partition divided into unencrypted chunks, the encryptable partition further including a temporary offset space to store file system metadata and scratch data used to encrypt the unencrypted chunks, the temporary offset space positioned on the encryptable partition at a location between encrypted and unencrypted chunks; encrypting, based on the volume key, each one of the unencrypted chunks separately to create a corresponding encrypted chunk at a location on the encrypted partition that previously held a different unencrypted chunk; and shifting the temporary offset space on the encryptable partition to a new location between newly encrypted and remaining unencrypted chunks after encrypting each one of the unencrypted chunks, wherein the user accesses a temporary copy of the unencrypted chunk stored in a working space during the encrypting of the unencrypted chunk and wherein, in response to receiving a decryption request from the user, retrieving a decryption volume key associated with the encrypted volume and decrypting, based on the decryption volume key, the encrypted partition, block by block, to enable the user to use the computing device during the decrypting as if the encrypted partition was already decrypted.

15. The non-transitory computer-readable storage medium of claim 14, the instructions further comprising: maintaining an encryption progress status; and displaying the encryption progress status to the user.

16. The non-transitory computer-readable storage medium of claim 14, the instructions further comprising: monitoring user disk accesses to the unencrypted volume; and when the user disk accesses exceed a first threshold, applying a back-off algorithm to temporarily stop encrypting the unencrypted volume until the user disk accesses fall below a second threshold.

17. The non-transitory computer-readable storage medium of claim 14, the instructions further comprising: reserving the working space on the unencrypted volume.
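
The sliding offset space of claims 1 and 7, the restart behaviour of claim 9 and the two-threshold back-off of claim 3, as an added Python simulation that is not code from the patent or its owner. The class and function names, the toy keystream cipher and the threshold values 100 and 20 are assumptions made for this illustration.

```python
import hashlib

def toy_cipher(key: bytes, index: int, data: bytes) -> bytes:
    """Constructed stand-in for a real disk cipher: XOR with a SHA-256 counter
    keystream bound to the portion index. Illustration only."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        block = key + index.to_bytes(8, "big") + ctr.to_bytes(8, "big")
        stream += hashlib.sha256(block).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class InPlaceVolume:
    """slots[0] starts as the gap (offset space); portion i starts in slot i+1.
    Encrypting portion i writes it to slot i and moves the gap to slot i+1."""
    def __init__(self, portions, key):
        self.key, self.slots = key, [None] + list(portions)
        self.done = 0  # progress status; a real system persists this

    def step(self, crash_before_commit=False):
        i = self.done
        if i >= len(self.slots) - 1:
            return False                      # every portion is encrypted
        self.slots[i] = toy_cipher(self.key, i, self.slots[i + 1])
        if crash_before_commit:
            return True                       # source intact, step is redone
        self.done = i + 1                     # commit point
        self.slots[i + 1] = None              # old source is the new gap (wiped)
        return True

    def read(self, i):
        """Logical read that is valid at any point during conversion."""
        if i < self.done:
            return toy_cipher(self.key, i, self.slots[i])
        return self.slots[i + 1]

def backoff(paused, user_iops, high=100, low=20):
    """Pause above `high`, resume only below `low` (assumed values)."""
    if user_iops > high:
        return True
    return paused if user_iops >= low else False

def run(volume, iops_trace):
    """Advance one portion per tick unless backed off; return pause flags."""
    paused, flags = False, []
    for iops in iops_trace:
        paused = backoff(paused, iops)
        flags.append(paused)
        if not paused:
            volume.step()
    return flags
```

Because the ciphertext is written into the gap before the progress counter advances, an interruption at that point leaves the plaintext source untouched and the step is simply repeated. The final gap last held plaintext, so it is wiped once the last portion commits.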

Patent Metadata

Filing Date: January 5, 2011

Publication Date: December 30, 2014

Cite as: Patentable. “System and method for in-place encryption” (US-8924739). https://patentable.app/patents/US-8924739